[ 
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16226800#comment-16226800
 ] 

Jason Lowe commented on YARN-7197:
----------------------------------

I was under the impression the blacklist would only mount the empty directories 
if the user was attempting to mount a higher, whitelisted directory in the 
blacklist path.  Any attempt to mount the blacklist directly would still fail 
the container as the current patch does.  So in other words, a blacklist of 
{{/run}} would never mount an empty directory (using a basic assumption nobody 
would add {{/}} to the whitelist) and just fail the container if anyone 
attempted to mount anything at {{/run}} or under it.  A blacklist of 
{{/run/docker.socket}} would only mount an empty file/dir onto 
{{/run/docker.socket}} if {{/run}} was in the whitelist and the user tried to 
mount {{/run}}.

In short, we only blacklist when we need to.  If the container can't work due 
to the mounted blacklisted paths then the user will need to stop mounting above 
the path and instead cherry-pick the whitelisted paths around the blacklisted 
ones.  That's something they'll have to do anyway if we don't add this feature 
and simply document how to properly setup the whitelist.


> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is 
> underway to allow admins to configure a whitelist of volume mounts. While 
> this is a much needed and useful feature, it opens the door for 
> misconfiguration that may lead to users being able to compromise or crash the 
> system. 
> One example would be allowing users to mount /run from a host running 
> systemd, and then running systemd in that container, rendering the host 
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist 
> would be where we put files and directories that if mounted into a container, 
> are likely to have negative consequences. Users are encouraged not to remove 
> items from the default blacklist, but may do so if necessary.
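The whitelist/blacklist decision procedure that Jason Lowe's comment above describes, written out as an added worked example. This is constructed code, not code from YARN, the container-executor, or either of the attached patches; the function names, the `(action, path)` plan representation, the `is_file` hook and the sample policy are all assumptions made here so the logic can be run and checked offline.

```python
"""Constructed example: whitelist/blacklist evaluation for Docker bind-mount
requests, following the policy described in the comment above.  Not YARN
code; the plan representation and function names are assumptions.

Rules:
  1. A request at or under a blacklisted path fails the container outright.
  2. Otherwise the request must be at or under some whitelisted path.
  3. If an allowed request covers blacklisted paths beneath it, each of those
     paths is shadowed with an empty directory or empty file so the container
     sees the whitelisted tree but not the blacklisted contents.
"""
import os
import posixpath


class MountRejected(Exception):
    """Raised when a mount request must fail the container."""


def normalize(path):
    """Canonicalize an absolute POSIX path; refuse relative paths and '..'."""
    if not path.startswith("/"):
        raise MountRejected("mount path must be absolute: %r" % path)
    # Check components before normpath(), which would silently collapse '..'.
    if ".." in path.split("/"):
        raise MountRejected("'..' not allowed in mount path: %r" % path)
    return posixpath.normpath(path)


def is_within(path, prefix):
    """True if path equals prefix or lies below it, compared component-wise
    so that /data does not cover /data2 (a plain startswith() check would)."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def plan_mount(requested, whitelist, blacklist, is_file=os.path.isfile):
    """Return the mount plan for one request as a list of (action, path):
    ('bind', p) for the requested bind mount, then ('empty_dir', p) or
    ('empty_file', p) for every blacklisted path that must be shadowed.
    Raises MountRejected when the container must fail instead.  is_file is
    injectable so the decision can be tested without touching the host."""
    req = normalize(requested)
    wl = [normalize(p) for p in whitelist]
    bl = sorted(normalize(p) for p in blacklist)  # parents sort before children

    # Rule 1: mounting a blacklisted path, or anything under it, always fails.
    for b in bl:
        if is_within(req, b):
            raise MountRejected("%s is blacklisted (matches %s)" % (req, b))

    # Rule 2: the request has to be covered by the whitelist.
    if not any(is_within(req, w) for w in wl):
        raise MountRejected("%s is not under any whitelisted path" % req)

    # Rule 3: shadow blacklisted paths strictly below the request.  A child of
    # an already-shadowed directory is hidden by that shadow and is skipped.
    plan = [("bind", req)]
    shadowed = []
    for b in bl:
        if not is_within(b, req) or any(is_within(b, s) for s in shadowed):
            continue
        plan.append(("empty_file" if is_file(b) else "empty_dir", b))
        shadowed.append(b)
    return plan


def mount_allowed(requested, whitelist, blacklist, is_file=os.path.isfile):
    """Boolean convenience wrapper around plan_mount()."""
    try:
        plan_mount(requested, whitelist, blacklist, is_file)
        return True
    except MountRejected:
        return False


if __name__ == "__main__":
    # Constructed host policy for illustration, not a recommended configuration.
    WHITELIST = ["/run", "/data"]
    BLACKLIST = ["/run/docker.socket"]
    pretend_file = lambda p: p.endswith(".socket")  # stand-in for the host check
    for req in ["/run", "/run/docker.socket", "/data/job1", "/etc"]:
        try:
            print(req, "->", plan_mount(req, WHITELIST, BLACKLIST, pretend_file))
        except MountRejected as e:
            print(req, "-> container fails:", e)
```

With that sample policy, a request for `/run` is allowed and gets an empty file placed over `/run/docker.socket`, a request for `/run/docker.socket` itself fails the container, and a request for `/etc` fails because nothing whitelists it. Paths are compared component-wise and `..` is refused before normalization, since both string-prefix matching and post-normalization checks are the usual ways such a filter gets bypassed.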



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
